It is a no-brainer that two-factor authentication in and of itself is not a magic bullet that will simply stop identity theft cold. You don't have to be a rocket scientist or a cryptologist (ahem) to understand that identity theft is a complex issue and is not simply an authentication problem; among other things, it is also a transaction-security problem.

Perhaps the community at large would be better served if the authors of these sensational and negative headlines regarding the FFIEC recommendations took the time to re-read and understand the recommendations in full:

Clearly nowhere in the text of the document does it imply that banks are recommended to simply replace one-factor authentication with two-factor authentication and thereby solve our entire Internet banking system's problems.

"Security is never black and white and context matters more than technology" (Bruce Schneier, Secrets and Lies). To single out for criticism one component of the recommended changes to Internet banking systems, such as two-factor authentication, rather than examining the effect on security of applying the complete set of recommendations, is naive and perhaps "conveniently" simplistic.

Personally, I applaud the FFIEC for stepping up to the plate in the face of mounting losses from Trojans and malware stealing customer credentials and ravaging the corresponding bank accounts. For too long, the answer from some financial institutions has unfortunately been to limit or completely deny any responsibility for customer losses involving compromised accounts, claiming that it was not a failure of "their" system; it was the victim's fault for not properly securing their personal PC.

In one particular Miami, Florida case, the user's PC was compromised with a key-logger Trojan (Coreflood) and $90,000 was removed from his account at Bank of America. The bank refused to accept any responsibility: in its view it was not the fault of its system; the user's PC was compromised and it was the victim's responsibility to secure his PC properly. The user is now suing the bank to recover his losses, and the court system will ultimately decide who was responsible.

From my perspective, these are the first meaningful steps in the Internet banking community's recognition that customer transactions will be carried out on non-secure PCs over a hostile Internet. Prior to the October 2005 recommendations from the FFIEC, ordinary users (certainly not security experts) were effectively held responsible for securing their systems, in light of the inadequate authentication mechanisms, lax internal controls and, in some cases, a complete lack of internal fraud detection systems within financial institutions.

Financial institutions' reliance on single-factor authentication, which permits a series of transactions to occur after the user has been weakly authenticated but without any authentication of the transactions themselves, coupled with a lack of layered security and inadequate back-end systems to recognize fraud, has left the door wide open for malicious hackers, exposing Internet banking customers to unacceptable risk.

Prior to the FFIEC recommendations, financial institutions were only being tactical, simply reacting to issues as they arose. On-screen keyboards, secondary PINs embedded in graphic images to authenticate the server, and elaborate multifactor authentication mechanisms, including out-of-band authentication that authenticated the user without authenticating the transaction, have all been knee-jerk reactions that have failed miserably.

As a security professional, I view the FFIEC recommendations as a welcome strategic alternative to the knee-jerk tactical solutions and the repeated subsequent failures in Internet banking we have experienced to date.

Two-factor authentication in the form of smart tokens is just as viable today as it was in 1995, when Michael James and Bruce Schneier published a paper entitled "Securing the Worldwide Web: Smart Tokens and Their Implementation," in which they stated that "smart tokens have the potential to revolutionize expansion in products and services that can be offered on internetworked systems... and would underpin the future of electronic commerce on the web." www.w3.org/Conferences/WWW4/Papers/330

Two-factor authentication devices like smart tokens, used exclusively to authenticate the user, can in fact successfully mitigate the risk of many of the most common threats we see today that take advantage of the inherent insecurity of static one-factor authentication. Snail-mail theft or "dumpster diving"-based ID theft and basic Internet phishing/pharming exploits (whereby the stolen static credentials are later used to access a user's bank or financial accounts via the Internet) could be thwarted by two-factor authentication.

The problems that some claim cannot be solved by two-factor authentication in the current threat environment are not inherent in the two-factor authentication devices themselves, but are rather problems that might arise from the way the devices could be foolishly applied.

Some propose that two-factor authentication would fail in a Man-in-the-Middle (MITM) type of attack in which a user's PC is fully compromised by a Trojan: the malicious code simply waits for the user to authenticate with two-factor authentication and then piggybacks fraudulent transactions on the authenticated session.

The purported failure of two-factor authentication opportunistically assumes the financial application incorrectly uses two-factor authentication as a direct replacement for one-factor authentication without addressing the issue at hand. The current threat environment clearly necessitates the authentication of both the user and each individual transaction separately.

Using two-factor authentication as part of a scheme that authenticates both the user and each transaction independently can in fact mitigate the risk of such a MITM attack.
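The distinction between a session-only design and a design that authenticates each transaction, as an added example that is not from the article or any product it mentions. It assumes a hypothetical shared-secret token that computes an HMAC over the payee, amount and a one-time nonce that the user confirms on the token's own display, so a Trojan that rewrites the transaction inside an already-authenticated session cannot produce a matching code:

```python
import hmac
import hashlib

# Constructed demo secret shared between the user's token and the bank's back end
# (a hypothetical shared-secret token model; real products differ in detail).
TOKEN_SECRET = b"constructed-demo-token-secret"


def canonical(tx: dict) -> bytes:
    """Canonical bytes of the details the user confirms on the token display."""
    return f"{tx['dest']}|{tx['amount']}|{tx['nonce']}".encode()


def token_sign(secret: bytes, tx: dict) -> str:
    """The token computes a transaction authentication code (TAC) over those details."""
    return hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()


def session_only_policy(session: dict, tx: dict) -> bool:
    """The weak design: any transaction arriving in an authenticated session is accepted."""
    return session["authenticated"]


def transaction_auth_policy(session: dict, tx: dict, tac: str, seen_nonces: set) -> bool:
    """Hardened design: login plus a per-transaction code bound to dest/amount/nonce."""
    if not session["authenticated"]:
        return False
    if tx["nonce"] in seen_nonces:
        return False  # replay of a code that was already consumed
    expected = token_sign(TOKEN_SECRET, tx)
    if not hmac.compare_digest(expected, tac):
        return False  # details were altered after the user confirmed them
    seen_nonces.add(tx["nonce"])
    return True


def demo() -> dict:
    session = {"user": "alice", "authenticated": True}  # logged in with two factors
    intended = {"dest": "ACCT-1001", "amount": "250.00", "nonce": "n-0001"}
    tac = token_sign(TOKEN_SECRET, intended)
    # A Trojan on the PC rewrites payee and amount after login, reusing the live session.
    tampered = dict(intended, dest="ACCT-9999", amount="90000.00")
    seen = set()
    return {
        "session_only_accepts_tampered": session_only_policy(session, tampered),
        "tac_rejects_tampered": not transaction_auth_policy(session, tampered, tac, seen),
        "tac_accepts_intended": transaction_auth_policy(session, intended, tac, seen),
        "tac_rejects_replay": not transaction_auth_policy(session, intended, tac, seen),
    }
```

The hardened policy only helps if the token shows the user the payee and amount being signed; a token that signs whatever the PC sends it is back to authenticating the session rather than the transaction.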

In closing:

While the recommendations from the FFIEC single out the ineffectiveness of current single point authentication mechanisms and clearly recommend that two-factor authentication be utilized to facilitate internet financial transactions, it must be recognized that the use of two-factor authentication, while important, is but one of the many components in the recommendations for an effective financial system security strategy.

Any consideration of two-factor authentication as part of financial system security (or for that matter any individual component) should include the complete context of the recommendation-- in this case:

When considered in this 'complete' context, two-factor authentication is a key component for a successful internet financial transaction system.

Paul Henry, Senior Vice President, is one of the world's foremost global information security experts, with more than 20 years of experience managing security initiatives for Global 2000 enterprises and government organizations worldwide. At CyberGuard, Henry plays a key strategic role in launching new products and re-tooling existing product lines. In his role as Sr. Vice President, Henry also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Department of Defense's Satellite Data Project, USA, and NTT Data in Japan.

Henry is frequently cited by major and trade print publications as an expert on both technical security topics and general security trends, and serves as an expert commentator for network broadcast outlets such as NBC and CNBC. In addition, Henry regularly authors thought-leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications such as the Information Security Management Handbook, where he is a consistent contributor. Paul serves as a featured and keynote speaker at network security seminars and conferences worldwide, delivering presentations on diverse topics including network access control, cybercrime, DDoS attack risk mitigation, firewall architectures, computer and network forensics, enterprise security architectures and managed security services.

CyberGuard is exhibiting at Infosecurity Europe 2006, Europe's number one information security event. Now in its 11th year, Infosecurity Europe continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 10,000 visitors from every segment of the industry. Held on the 25th - 27th April 2006 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in information security. www.infosec.co.uk
